Home/ Blog/ Security news/ Article
Blog · Security news

A new flaw lets attackers take over Quest NetVault backup servers, login or not

CVE-2026-7570 is a SQL-injection-to-remote-code-execution flaw in Quest NetVault Backup, rated 8.8. The login can be bypassed. Quest fixed it in 14.0.2.

Row of steel storage drums with one open, evoking an exposed backup server
By Noam Alum · ·Security news · 4 min read Mitigate now

The machine you count on to bring you back after a breach can be the one that lets the attacker in. Quest NetVault Backup, a commercial backup platform many enterprises run as their recovery floor, has a flaw that lets a remote attacker run code on the backup server itself. The Zero Day Initiative published the advisory (ZDI-26-368) on June 24, tracked as CVE-2026-7570 and rated 8.8 out of 10. Quest has already shipped a patch. If you run NetVault, moving to version 14.0.2 is this week's work, and the reason it jumps the queue has less to do with the score than with where the bug lives.

What the bug actually is

The flaw sits in how NetVault's web dashboard, a component named NVBUDashboard, handles JSON-RPC messages (a format software components use to send each other commands). A string the user controls gets dropped into a database query without being cleaned first. That is the textbook setup for SQL injection, catalogued here as CWE-89, where attacker-supplied text becomes part of a database command instead of staying mere data.

ZDI's analysis carries that injection all the way to remote code execution, with the attacker's code running as NETWORK SERVICE, a built-in Windows service account. The CVE record lists NetVault 14.0.0.19 as affected, and Quest's 14.0.2 release notes carry the fix.

The part that should change how you think about exposure is the authentication note. The advisory says a login is required to reach the flaw, then immediately tells you the login does not hold: the existing authentication can be sidestepped. So the usual reassurance, that the console sits behind a password, is not the control it sounds like. Anything that can talk to the dashboard is close enough to attack it.

Why a backup server is the wrong place to lose

An 8.8 on a random application server is a bad week. An 8.8 on the backup server is a different category of problem, and the score does not capture it.

Backup infrastructure is where ransomware crews go first, on purpose. The whole point of a backup is to be the thing that still works when everything else is encrypted, so removing it before the encryption starts is how a recoverable incident becomes a ransom payment. A remote-code-execution foothold on the NetVault server hands an intruder exactly that staging ground: the host that reaches every protected system, holds the catalog of what is backed up and where, and often stores or brokers the credentials used to mount those backups.

Code running as NETWORK SERVICE is not domain admin, but it does not need to be. It is a live process on the one box your recovery plan assumes is untouched, with read access to a database that maps your environment for the attacker. Treat a compromise here as a compromise of your recovery capability, not just one more server.

The nine-month gap nobody mentions

Quest received this report on September 24, 2025. It became public on June 24, 2026. That is nine months between a working write-up existing inside ZDI and the rest of us hearing about it.

The gap is not a criticism of coordinated disclosure, which is working as designed here, fix first then publish. It is a reminder that the clock on a vulnerability does not start when you read about it. By the time an advisory lands, the technique has existed for months and the details are now public for anyone to reconstruct. There is no grace period to schedule around. Patch availability and public disclosure arrived together, so the safe assumption is that exploitation interest starts now.

What to do this week

  • Update NetVault to 14.0.2. Quest tracks the fix internally as NV-4863, listed in the release notes as web UI security fixes, and the CVE references that release as the remediation.
  • Get the management console off the public internet. Because the login can be bypassed, network reachability is the real boundary, not authentication. Put the dashboard behind a VPN or a management network and restrict who can reach it to the hosts that genuinely need to.
  • Hunt before you assume you are clean. Look for unexpected child processes spawned by the NetVault web service running as NETWORK SERVICE, database errors or malformed JSON-RPC requests against the dashboard in NetVault logs, and any outbound connections originating from the backup host that you cannot account for.
  • Re-check your recovery assumptions. If the backup server were owned, would you know, and is there an offline or immutable copy that a foothold on this host cannot reach? This bug is a good prompt to answer that for real.

Being second to patch a backup-server bug is not a position you want to defend after an incident. The fix exists, the exposure is the box you least want compromised, and the disclosure window is already open.

Frequently asked questions

What is CVE-2026-7570?

CVE-2026-7570 is a SQL injection flaw in Quest NetVault Backup that an attacker can escalate to remote code execution on the backup server. The Zero Day Initiative disclosed it on June 24, 2026 as ZDI-26-368, with a CVSS score of 8.8. Quest has released a fix.

How do I fix CVE-2026-7570 in NetVault?

Upgrade Quest NetVault Backup to version 14.0.2, which contains the fix Quest tracks as NV-4863. The CVE record lists 14.0.0.19 as affected and points to the 14.0.2 release notes as the remediation. Apply it promptly, since the patch and the public disclosure arrived together.

Does the authentication requirement protect me from CVE-2026-7570?

No. The ZDI advisory states that the authentication required to reach the flaw can be bypassed, so a login does not stop the attack. Treat network reachability to the dashboard as the real boundary and restrict it to hosts that genuinely need access.

Is CVE-2026-7570 being actively exploited?

There is no public report of in-the-wild exploitation as of the June 24, 2026 disclosure, and it is not on CISA's exploited-vulnerabilities list yet. The flaw was reported to Quest nine months earlier, so the technical details are now public and the safe assumption is that exploitation interest follows quickly.

Why is a vulnerability in backup software treated as more serious?

Backup servers are a primary ransomware target because destroying recoverable backups turns a survivable incident into a ransom payment. A remote-code-execution foothold on the NetVault server gives an attacker access to the host that reaches every protected system and the catalog of what is backed up.
Keep reading
Security news

Two flaws in Unraid's control panel let a logged-in user seize the whole server

Two command injection flaws in Unraid's web panel, CVE-2026-9772 and CVE-2026-9773, let any logged-in user run code as www-data. Both are fixed in version

Suriq's Jack · Jun 25, 2026
Security news

A rigged container image can seize root on the host running Docker's AI agent tools

CVE-2026-55887 lets a malicious container image escape Docker's MCP Gateway and run code as root on the host. Rated 8.7. Affected 0.21.0 to 0.42.1; fixed in

Suriq's Jack · Jun 25, 2026
Security news

Police seized the malware that stole 27 million passwords. The passwords still work.

Operation Endgame seized the servers behind the Amadey and StealC malware, but the 27 million credentials they already stole stay valid until you rotate them.

Suriq's Jack · Jun 24, 2026

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.

Request access Meet the clan